CVE-2017-3375 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/15/2026

The vulnerability identified as CVE-2017-3375 resides within the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically affecting the User Interface subcomponent. It affects the supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6, creating a widespread exposure across the Oracle E-Business Suite ecosystem. The vulnerability's classification as easily exploitable indicates that attackers can leverage network-based HTTP access without requiring authentication credentials, presenting a significant security risk to organizations utilizing these Oracle applications. The attack vector operates over HTTP, making it particularly dangerous as it can be executed from external networks without requiring insider knowledge or privileged access.

The technical flaw represents a critical access control vulnerability that enables unauthorized individuals to compromise the Oracle Advanced Outbound Telephony functionality. This weakness allows attackers to gain unauthorized access to sensitive data and potentially modify or delete information within the telephony system. The vulnerability's impact extends beyond the immediate component, as successful exploitation can affect additional Oracle products within the broader E-Business Suite environment. The CVSS v3.0 base score of 8.2 reflects the severity of both confidentiality and integrity impacts, indicating that attackers can potentially access critical data or achieve complete access to all accessible data within the telephony system. The requirement for human interaction from individuals other than the attacker suggests that social engineering or targeted phishing attacks may be necessary to initiate the exploitation process, though the underlying vulnerability remains easily accessible once triggered.

Operational impact of this vulnerability is substantial as it can result in unauthorized access to sensitive telephony data, including customer communications, call records, and potentially personal information. The ability to perform unauthorized update, insert, or delete operations creates risks of data corruption, manipulation, or complete data loss within the telephony system. Organizations may face regulatory compliance issues if customer data is compromised, particularly in industries subject to data protection regulations such as healthcare, finance, or telecommunications. The vulnerability's presence across multiple versions of Oracle E-Business Suite means that organizations must assess their entire application landscape to determine exposure levels. The potential for additional product impacts indicates that this vulnerability could serve as a stepping stone for attackers to compromise other Oracle components within the same environment, amplifying the overall security risk.

Mitigation strategies should focus on immediate patching of affected Oracle E-Business Suite versions, with organizations prioritizing the implementation of security updates from Oracle's official sources. Network segmentation and access controls should be implemented to limit exposure of the vulnerable component to unauthorized users, while monitoring systems should be deployed to detect potential exploitation attempts. Organizations should also conduct comprehensive vulnerability assessments across their entire Oracle E-Business Suite environment to identify other potentially affected components. The vulnerability aligns with CWE-284, which addresses improper access control issues, and may be exploited through techniques consistent with ATT&CK tactics related to initial access and privilege escalation. Regular security audits and penetration testing should be conducted to ensure that the implemented controls remain effective against evolving threat landscapes and that no other vulnerable components exist within the Oracle environment.

Reservation: 12/06/2016
Disclosure: 01/27/2017
Moderation: accepted
Entry: VDB-96169
CPE: ready
EPSS: 0.00845
KEV: no
Activities: very low
